What Would A Cyber Attack On A Major City Look Like?

Hardly a month goes by without a government agency somewhere in the world warning about the consequences of a major cyber attack.

In the scenario below, we outline the consequences of such an attack on a large metropolis.

A major risk to populations and businesses stems from the fact that so much of the modern urban environment is dependent on constant electricity supplies and instant communications. While a loss of power may not necessarily generate panic, a sustained blackout in telecommunications could before long lead to widespread fear, as the public would not know how long the loss of electricity and communications would last.

Let us imagine for scenario’s sake that a cyber attack shut down the electricity grid of a major city in a major economy. This would create immediate problems, as people would lose the use of lighting and power in the first instance, and with it, experience the loss of data. In the second instance, water supplies would be disrupted, because electricity is used to pump water.

At the same time, urban infrastructure would be severely affected, as traffic lights shut down (requiring motorists to drive slowly and much more carefully) and railway systems ground to a halt. Businesses would lose the ability to conduct electronic transactions, and shops and restaurants would stand to lose perishable goods through the loss of refrigeration. If the shutdown lasted days, then the disruption to business activities would take a big toll on the economy.

While a ‘typical’ power blackout in itself is not so unusual in small areas of cities, and would thus not lead to panic, a city-wide blackout could cause fear to spread, if it prevailed for more than a day or so. This would be exacerbated if the power loss was accompanied by a collapse of mobile and fixed-line communications, because citizens would find it difficult to determine how widespread the shutdown was, or how long it would last. Even if the mobile network kept functioning, the power cut would prevent people from recharging their phones, and the networks could be overloaded with phone calls.

Assuming that the cyber attack struck during working hours, most people would presumably go home, although this could take many hours if traffic lights were down and rail services stopped running.

The disruptiveness of a cyber attack on an urban area would depend on the time of day and the time of year that the attack took place, and the latitude of the targeted city. Clearly, if the blackout occurred during rush hours, the disruption would be maximised. A daytime cyber attack would mitigate the problems caused by loss of electrical lighting, but it would exacerbate problems caused by a loss of refrigeration (especially in a hot country). A cyber attack on a temperate zone city in winter could potentially kill thousands of people, especially the elderly, if the power shutdown resulted in people freezing to death in their homes.

We believe that in the event of a cyber attack shutting down major urban infrastructure, the government would be reluctant to admit the origin of the problem (indeed, it might not even know the cause immediately), and would thus cite technical problems for the disruption. Even so, the government might struggle to communicate with residents of the affected areas if electricity and communications were down. People with battery-operated radios would be able to receive news reports and official advice, but not everyone has such radios nowadays. Car owners would of course be able to receive radio transmissions in their cars.

As long as a cyber attack-induced blackout did not last more than a day or two, there would be no reason to expect serious public disorder. However, if the shutdown dragged on for several days, then urban residents could start running out of food and water. The authorities could respond by deploying water and food delivery trucks to mitigate civil disorder risks, but there would still be a risk of looting of supermarkets as people helped themselves to food and drink. Other retail outlets would also be at risk of looting, as opportunists took advantage of the shutdown of public video cameras to steal non-essential items such as electronic goods.

Clearly, matters would be worse if the authorities themselves became paralysed by the cyber attack – although we would expect that the government would have contingency plans to keep itself functioning at such times.

Over the past 10-20 years, there have been several massive blackouts affecting tens of millions of people over large areas, in countries and regions as diverse as north-eastern North America (2003), Italy (2003), Brazil and Paraguay (2009), and most notably large parts of India in July 2012. These serve as test cases for a cyber attack – although arguably the blackout in north-eastern North America is less relevant as a simulation for the present day because people are much more ‘dependent’ on their mobile phones than in 2003.

Natural disasters such as earthquakes and major floods also serve as test cases for a government’s response to a cyber attack, because the presumed consequences of a cyber attack – namely the loss of power and communications – are similar to those of a natural disaster.

Unsurprisingly, countries which are less urbanised and less dependent on modern infrastructure are arguably better placed to cope with cyber attacks, if only because their citizens are more accustomed to life without constant electricity, mobile phones, and complex distribution systems.

One of the themes that BMI is exploring is how more and more household goods and transportation are being linked to the internet. This being the case, cyber attacks in the future will be worse than today, as more ‘stuff’ gets linked to computer networks.